UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application does not contain embedded authentication data.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6156 APP3350 SV-6156r1_rule IAIA-1 IAIA-2 High
Description
Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application server. This could lead to immediate access to a backend server.
STIG Date
Application Security and Development STIG 2014-04-03

Details

Check Text ( C-14176r1_chk )
Review source code (including global.asa, if present), configuration files, scripts, HTML file, and any ASCII files to locate any instances in which a password, certificate, or sensitive data is included in code.

If credentials were found, check the file permissions on the offending file.

1) If the file permissions indicate that the file has no access control permissions (everyone can read or is world readable), this is a CAT I finding.

2) If there is a level of file protection that requires that at least authenticated users have read access, this is a CAT I finding.

3) If a level of protection exists that only administrators or those with a UID of 0 can read the file, this is a CAT II finding.

The finding details should note specifically where the offending credentials or data were located and what resources they enabled.
Fix Text (F-17025r1_fix)
Remove embedded authentication data stored in code, configuration files, scripts, HTML file, or any ASCII files.